Assumed security is an insider threat, hiding in plain sight

by Black Hat Middle East and Africa

Explore our weekly delivery of inspiration, insights, and exclusive interviews from the global BHMEA community of cybersecurity leaders.


This week we’re focused on…

Insider threats. But not the kind you’re thinking of. 

An insider threat is usually thought to be a person: an employee, contractor or partner with legitimate access who can harm the organisation, intentionally or accidentally. The US federal agency CISA defines it as the potential for an insider to use authorised access or organisational knowledge to cause harm; NIST similarly includes unwitting misuse of authorised access.

But new research from Horizon3 points to a less obvious version of the same problem. The insider is not necessarily a disgruntled administrator – it could be the internal process everyone trusts. 

Security teams scan, patch, rescan, close tickets, update dashboards, report their progress, and go again.

The danger comes when that activity is treated as proof that the organisation can resist an attack.

Confidence is outrunning confirmation

The report, based on a survey of 750 cybersecurity professionals in November 2025, shows a serious confidence gap.

Among CISOs: 

  • 93% say they could prove their organisation took reasonable, validated steps to prevent a breach. 
  • 97% are confident endpoint protection would detect lateral movement or privilege escalation. 
  • 96% believe their SOC could identify an attacker already operating inside the environment. 

Those numbers sound reassuring – but the validation data says otherwise: 

  • Only 12% of CISOs say they tested EDR effectiveness in the last three months.
  • Only 26% use red team exercises or pentesting to assess SOC detection capability. 
  • Among practitioners, just 29% test their SOC’s ability to detect attacks monthly or more often.

That’s the heart of assumed security. The organisation believes the control works because the control exists. It believes the process reduced risk because the workflow completed.

Attackers don’t care whether the ticket is closed – they care whether the path still works.

Patch, scan, assume

The same pattern appears in vulnerability management. Only 30% of CISOs say their organisations patch and then test exploitability using real exploits or adversarial tools. Nearly half patch and rescan with a vulnerability scanner. Another 17% patch and assume closure.

Practitioners see the weakness more directly: 33% assume scanner findings are accurate without further validation, while 17% do not validate findings at all. The report also notes that practitioners estimate roughly a quarter of scanner output is low-value or false positive.

That makes assumed security a real operational risk. A scanner can confirm that a patch appears to be applied, usually by reading a version string or banner. By itself it cannot prove that privileges were reduced, that credentials were secured, or that the chain of weaknesses an attacker would actually use has been broken.

So the insider threat here is the internal belief that ‘patched’ means safe. 
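The gap between "patch and rescan" and "patch and retest" is easiest to see in code. The following is an added illustration, not Horizon3's tooling or anything from the report: a constructed, in-process simulation in which a toy file-serving handler has a path traversal weakness, a scanner-style check judges closure from the reported version string (as version-matching scanners do), and a validator actually exercises the attack path. The hypothetical version numbers, hostnames, web root and payloads are all made up for the example; the same retest logic is what you would apply to an AI-generated "remediated" recommendation before closing its ticket.

```python
"""Patch-and-rescan versus patch-and-retest, in miniature.

Constructed example (not code from the newsletter or from Horizon3).
All hosts, versions and payloads are hypothetical. posixpath is used so the
path arithmetic behaves identically on any OS and touches no real files.
"""
import posixpath
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

WEB_ROOT = "/srv/www"           # hypothetical document root
FIXED_VERSION = (2, 4, 1)       # hypothetical release said to fix the traversal


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


# --- three builds of the same handler ---------------------------------------

def handler_v240(path: str) -> str:
    """Unpatched: untrusted path joined straight onto the web root."""
    return posixpath.join(WEB_ROOT, path)


def handler_v241_incomplete(path: str) -> str:
    """Version bumped and a 'fix' shipped, but it only deletes literal '../'.

    A single-pass replace leaves '....//' as '../' after the inner '../' is
    removed, so the traversal still works while the banner says 2.4.1.
    """
    return posixpath.join(WEB_ROOT, path.replace("../", ""))


def handler_v241_fixed(path: str) -> str:
    """Real fix: canonicalise, then refuse anything outside the web root."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, path.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        raise PermissionError("path escapes web root")
    return candidate


# --- inventory and the two ways of deciding a finding is closed --------------

@dataclass
class Host:
    name: str
    reported_version: str          # what a banner/version scan would read
    handler: Callable[[str], str]  # what the running service actually does


# Constructed inventory for the example.
INVENTORY: List[Host] = [
    Host("web-01", "2.4.0", handler_v240),              # never patched
    Host("web-02", "2.4.1", handler_v241_incomplete),   # "patched", still exploitable
    Host("web-03", "2.4.1", handler_v241_fixed),        # actually fixed
]

# Constructed payloads: the plain traversal and the classic filter bypass.
PAYLOADS = ["../../etc/passwd", "....//....//etc/passwd"]


def scanner_says_closed(host: Host) -> bool:
    """Scanner logic: closed if the reported version is at or past the fix."""
    return parse_version(host.reported_version) >= FIXED_VERSION


def validator_says_closed(host: Host) -> bool:
    """Validator logic: closed only if no payload resolves outside WEB_ROOT."""
    for payload in PAYLOADS:
        try:
            resolved = posixpath.normpath(host.handler(payload))
        except PermissionError:
            continue                      # the service refused it: blocked
        if not resolved.startswith(WEB_ROOT + "/"):
            return False                  # the attack path still works
    return True


def assess(inventory: List[Host]) -> Dict[str, Tuple[bool, bool]]:
    """Map host name -> (scanner verdict, validator verdict)."""
    return {h.name: (scanner_says_closed(h), validator_says_closed(h)) for h in inventory}


def assumed_secure(inventory: List[Host]) -> List[str]:
    """Hosts the dashboard would show as closed but an attacker could still use."""
    return [name for name, (scan, valid) in assess(inventory).items() if scan and not valid]


if __name__ == "__main__":
    for name, (scan, valid) in assess(INVENTORY).items():
        print(f"{name}: scanner closed={scan}  validated closed={valid}")
    print("assumed secure:", assumed_secure(INVENTORY))
```

Run as written, web-02 is the host the report is warning about: the rescan closes the ticket because the version string moved, and only the exploit-style retest shows that the path still works.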

Automation can make the assumption faster

AI adds another twist. The report finds that 60% of CISOs say AI is fully integrated into vulnerability management or remediation workflows, while 51% of practitioners are piloting AI-driven patching, ticketing or remediation systems.

Yet only 17% of CISOs independently test AI-generated recommendations using their own tools.

It’s not a reason to reject automation, but we have to pair speed with verification. AI can prioritise, route and close faster. But without retesting, it may simply industrialise false confidence.

Assumed security qualifies as an insider threat because it operates through trusted internal processes and access, and weakens the organisation from within. Every organisation needs to recognise that confidence does not reduce exposure; only testing does.

We want to know what you think 

Open this newsletter on LinkedIn and tell us in the comments: how can organisations mitigate the risk of assumed security? We might get in touch to feature your perspective in a future newsletter. 
